Replacing meek: Snowflake

Merged your post into this thread.

The non-progress on the Whonix side is documented in this thread. Since I don’t think there was progress on Make a deb of snowflake and get into Debian (#19409) · Issues · Legacy / Trac · GitLab and since no one else volunteers to work on it, I don’t think any progress should be expected anytime soon.

Ability to connect to Snowflake bridges has been added to TBB alpha 9.x

1 Like

I’m using Qubes 4. I really need to use snowflake since that’s basically the only thing that can work in my work network (right now I’m writing this using a qubes vm with tor browser alpha - not whonix so not the best thing out there from the security standpoint). I can get snowflake-client and move it to whonix-gw but what do I need to do after?

Using snowflake is now documented. Unfortunately for advanced users only.

Configure (Private) (Obfuscated) Tor Bridges

Advanced users only, because:

The difficult part is getting snowflake-client into Whonix-Gateway ™. This is why this is for advanced users only. The binary snowflake-client can be found for example in /var/cache/tb-binary/.tb/tor-browser/Browser/TorBrowser/Tor/PluggableTransports/snowflake-client in Whonix-Workstation ™ [10] or in the Tor Browser download for Linux from torproject.org. Once extracted it is in the tor-browser folder in sub folder ./Browser/TorBrowser/Tor/PluggableTransports/snowflake-client . Once snowflake-client is somewhere in Whonix-Gateway ™, it needs to be copied to /usr/bin/snowflake-client.

Thanks a lot Patrick for that entry! Unfortunately that’s not working currently since it’s lacking certain steps and there’s an another bug going on (if a workaround is known please let us know since it’s the only blocker to using snowflake):

sudo chmod +rx /usr/bin/snowflake-client 

is needed otherwise one gets a permission denied when tor tries to launch snowflake.

One also needs to add this line:

/usr/bin/snowflake-client ix,

to /etc/apparmor.d/abstractions/tor and then reload apparmor using sudo service apparmor restart

(thanks to David Fifield for posting these instructions on
https:// trac. torproject. org/projects/tor/ticket/24203 )

Yet after all this snowflake doesn’t start and the reason is found when running /usr/bin/snowflake-client -h:

/usr/bin/snowflake-client: /usr/lib/x86_64-linux-gnu/libstdc++.so.6: version `CXXABI_1.3.11' not found (required by /usr/bin/snowflake-client)

How can I fix this issue? Which package would need updating?

1 Like

Apparently this should be fixed in the next Tor Browser alpha, /usr/lib/x86_64-linux-gnu/libstdc++.so.6: version `CXXABI_1.3.11' not found (required by ./TorBrowser/Tor/PluggableTransports/snowflake-client) (#31380) · Issues · Legacy / Trac · GitLab

In the meantime I will try another snowflake-client from an earlier version and see how it goes.

PS: Another important thing, when connecting to Tor through snowflake fails then Tor immediately switches to a direct connection to the Tor network, this is potentially dangerous in many environments. Does anyone know how to avoid this?

1 Like

I tested on Qubes-Whonix only but should be same in Non-Qubes-Whonix.

r:
Outdated version of Whonix / security-misc where we had umask changes.

x:
should be already. But depending on how the file was transferred in Whonix-Gateway this may be required indeed.

Already there. See footnote.

anon-gw-anonymizer-config/etc/apparmor.d/local/system_tor.anondist at master · Whonix/anon-gw-anonymizer-config · GitHub

Do you have file /usr/lib/x86_64-linux-gnu/libstdc++.so.6 on your system?

dpkg -S /usr/lib/x86_64-linux-gnu/libstdc++.so.6

libstdc++6:amd64: /usr/lib/x86_64-linux-gnu/libstdc++.so.6

Install.

sudo apt install libstdc++6

I don’t think it’s possible to not have that package installed.

I used Tor Browser version 9.0a6 to extract snowflake-client. That might make a difference too.

Yes it’s a brand new sys-whonix from Qubes,

libstdc++6 is already the newest version (6.3.0-18+deb9u1).

me:

libstdc++6 is already the newest version (8.3.0-6).

Are you sure you have Whonix 15 (Debian buster based)? And not Whonix 14 (Debian stretch based) (deprecated)? For me:

cat /etc/whonix_version

15

Are you sure?

If yes, please reproduce on Debian (buster) and then report to The Tor Project https://trac.torproject.org.

Thanks again for all of the valuable help, so it seems I only have Whonix 14, I just upgraded to 15.

Yes, since I didn’t put UseBridges 1 in 50_user.conf, please add it to the wiki as well. Now snowflake works!!!

Last question: Whenever I restart sys-whonix the /usr/bin/snowflake-client gets deleted, so should I make thse changes to the whonix gateway template??

1 Like

Yes.

Hi everyone! I’m the “i0k0rw” in the thread above (had to make a new account since I lost the password of that one lol)

Unfortunately snowflake stopped working after 11-06-2020 (after Whonix updates?). I still don’t know what the issue is but I followed all the steps on installing snowflake (from the latest Tor Browser alpha) and it’s not working. /usr/bin/snowflake-client is able to load up, however when I see on nyx all I find is:

[NOTICE] New control connection opened.
[NOTICE] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
[NOTICE] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
[NOTICE] Tor 0.4.2.7 opening log file.

I’d appreciate any help.

Edit: Precision: snowflake is working fine with the Tor Browser alpha on a debian-9 Qubes VM.

Since July 6, Tor browser has included Snowflake as a pre-packaged proxy option.

I love Snowflake, and I use it often to connect to the Tor network. I see that the Wiki describes how to add Snowflake to Whonix.

However, now that Snowflake is included in Tor Browser by default, I hope that Whonix Anon Connection Wizard will soon include Snowflake by default too. Is there any chance of this happening soon?

Snowflake is in Debian, almost

1 Like

Contribution always welcome.

Do you know f it’s in backports?

Not at time of writing.

https://packages.debian.org/search?keywords=snowflake

Meek removal eweiibe6tdjsdprb4px6rqrzzcsi22m4koia44kc5pcjr7nec2rlxyad.onion/tpo/anti-censorship/team/-/issues/33

1 Like